US11917076B2 - Terminal registration system and terminal registration method - Google Patents
- Publication number: US11917076B2 (application US17/824,488)
- Authority: US (United States)
- Prior art keywords: registration, terminal, service site, fido, authenticator
- Prior art date
- Legal status: Active, expires
Classifications
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
- G06F21/335—User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets
- G06F21/45—Structures or tools for the administration of authentication
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
- H04L63/0892—Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
Definitions
- The present invention relates to a terminal registration system and a terminal registration method.
- FIDO: Fast IDentity Online
- In FIDO, a different public key and private key pair is generated for each service; the public key is placed on the service site side and the private key is locked in a terminal.
- Use of the private key (the signature in challenge and response authentication) is premised on biometric authentication being performed on the terminal, and the private key is used only within an Authenticator, which prevents the private key from leaving the terminal, so that high security is achieved.
- For FIDO authentication, Registration of a terminal needs to be performed on a service site in advance, and the public key of the terminal needs to be associated with the account. In the standard technology, Registration is assumed to be performed after logging into the account with an authentication method other than FIDO.
- FIG. 9 is a diagram illustrating features of the standard technology (FIDO). As illustrated in FIG. 9 , a terminal 1 and a terminal 2 are access controlled by biometric authentication or the like. The terminal 1 and the terminal 2 , and a service site A 21 and a service site B 22 are authenticated by a FIDO protocol. The user accesses the service site A 21 and the service site B 22 using the terminal 1 , and accesses the service site A 21 and the service site B 22 using the terminal 2 .
- In the FIDO standard technology:
- the service site A 21 and the service site B 22 register individual keys for each terminal;
- the terminal 1 and the terminal 2 generate individual key pairs for each site.
- Public keys 1-A and 2-A have been registered for the service site A 21, and public keys 1-B and 2-B have been registered for the service site B 22.
- An Authenticator 10 (secure region) of the terminal 1 stores a private key 1-A paired with the public key 1-A and a private key 1-B paired with the public key 1-B.
- The Authenticator 10 (secure region) of the terminal 2 stores a private key 2-A paired with the public key 2-A and a private key 2-B paired with the public key 2-B.
- FIG. 10 is a diagram illustrating registration of a new terminal with the standard technology (FIDO).
- A terminal 2 in FIG. 10 is a newly added terminal (hereinafter referred to as a new terminal 2) in addition to the terminal 1.
- The new terminal 2 results from addition or change of a terminal (for example, having both a smartphone and a tablet terminal, or changing the terminal).
- In order to utilize FIDO authentication from the new terminal 2, Registration of the terminal needs to be performed on the service site in advance, and the public key of the terminal needs to be associated with the account.
- A Client To Authenticator Protocol (CTAP) is defined as a protocol for performing FIDO authentication using an Authenticator external to a terminal (see NPL 2).
- FIG. 11 is a diagram illustrating technique 1 for Registration of a key of a new terminal using the CTAP.
- CTAP is illustrated by a cylindrical shape in FIG. 11.
- Session, also illustrated by a cylindrical shape, indicates that a Session has been established in the communication path.
- Procedure 1: Access a registration target service site with a new terminal 2.
- Procedure 2: The new terminal 2 logs in using a terminal 1 as an external Authenticator (using the CTAP), performing FIDO authentication with a registered private key.
- Procedure 3: Establish a communication session between the service site (the service site A 21) and the new terminal 2.
- Procedure 4: Register a key of the Authenticator of the new terminal 2 itself via the established communication session.
- FIG. 12 is a diagram illustrating technique 2 for Registration of a new terminal key using the CTAP.
- Procedure 1: Access a registration target service site (the service site A 21) with a terminal 1.
- Procedure 2: Log in by performing FIDO authentication with a registered private key in the Authenticator of the terminal 1 itself.
- Procedure 3: Establish a communication session between the service site and the terminal 1.
- Procedure 4: The terminal 1 utilizes a new terminal 2 as an external Authenticator (using the CTAP) and registers a key of the external Authenticator (the new terminal 2).
- NPL 1: FIDO Alliance, "SIMPLER, STRONGER AUTHENTICATION", FIDO is the World's Largest Ecosystem for Standards-Based, Interoperable Authentication [online], [searched on Jan. 20, 2018], https://fidoalliance.org/
- NPL 2: R. Lindemann, et al., "FIDO 2.0: Client To Authenticator Protocol", FIDO Alliance Review Draft, 2016, [searched on Jan. 20, 2018], https://fidoalliance.org/specs/fido-v2.0-rd-20161004/fido-client-to-authenticator-protocol-v2.0-rd-20161004.html
- NPL 3: Nishimura, et al., "Study on Secure Sharing of User Authentication Private Key between Terminals Belonging to Same Owner", The Institute of Electronics, Information and Communication Engineers Technical Research Report, IN2016-172, pp. 449-454, 2017.
- NPL 4: A. Takakuwa, et al., "The Transfer Access Protocol-Moving to New Authenticators in the FIDO Ecosystem", Technical Report UW-CSE-17-06-01, The University of Washington, 2017.
- FIG. 13 is a diagram illustrating a problem in achieving available states for multiple service sites.
- FIG. 13 illustrates an example of technique 1 of FIG. 11 but the same applies to technique 2 of FIG. 12 .
- a registered terminal 1 utilizes a number of service sites (a service site A 21 , a service site B 22 , a service site C 23 , and a service site D 24 ).
- An Authenticator 10 (secure region) of the terminal 1 stores a private key 1 -A paired with a public key 1 -A, a private key 1 -B paired with a public key 1 -B, a private key 1 -C paired with a public key 1 -C, and a private key 1 -D paired with a public key 1 -D.
- A user accesses (for example, via URL input or a search site) each target site to start Registration.
- Known techniques have the problems described below.
- The user needs to actively access each service site (by URL input, page transitions through a search engine, or the like) to perform Registration, so the work burden increases with the number of service sites.
- Registration of the new terminal 2 needs to be performed without exception for all service sites in use by the registered terminal 1, so the user bears the burden of knowing all of the service sites in use.
- An object of the present invention is therefore to provide a terminal registration system and a terminal registration method for improving user convenience in registration of a new terminal on a plurality of service sites.
- the invention according to claim 1 is a terminal registration system in which a plurality of terminals performing Fast IDentity Online (FIDO) authentication using private keys are communicatively connected to a plurality of service sites utilized by the plurality of terminals, and a new terminal is registered on a plurality of the service sites using a registered terminal, the registered terminal including service site list information that associates the private keys and URLs for access to the plurality of service sites with each other in an Authenticator, the terminal registration system including: a registration function unit configured to: acquire the service site list information to perform FIDO authentication for a registration target service site using a private key of the registered terminal, based on the service site list information; and perform Registration of a cryptographic key newly generated at the new terminal.
- the invention according to claim 7 is a terminal registration method for a terminal registration system in which a plurality of terminals performing FIDO authentication using private keys are communicatively connected to a plurality of service sites utilized by the plurality of terminals, and a new terminal is registered on the plurality of service sites using a registered terminal, the registered terminal including service site list information that associates the private keys and URLs for access to the plurality of service sites with each other in an Authenticator, the terminal registration method including the steps of, performed by a registration function unit: acquiring the service site list information to perform FIDO authentication for a registration target service site using a private key of the registered terminal, based on the service site list information; and performing Registration of a cryptographic key newly generated at the new terminal.
- Registration is performed by automatically accessing the registration target service sites on the basis of the service site list information acquired by the registration function unit, so user convenience in performing Registration on a plurality of service sites can be improved.
- The user is thus relieved of the burden of managing the service sites on which registration is required when beginning to use a new terminal, and the work burden on the user is reduced as the number of service sites increases.
- the invention according to claim 2 is the terminal registration system according to claim 1 , wherein the registration function unit is located on the registered terminal side, and the registration function unit logs in to registration target service sites for all private keys registered in the Authenticator of the registered terminal, and performs Registration using the new terminal as an external Authenticator by a CTAP.
- The invention according to claim 3 is the terminal registration system according to claim 1, wherein the registration function unit is located on the new terminal side, the registration function unit acquires the service site list information from the Authenticator of the registered terminal to perform FIDO authentication to log in to each service site using the registered terminal as an external Authenticator by the CTAP, based on the service site list information, and the new terminal performs Registration related to the Authenticator of the new terminal in the established session.
- the invention according to claim 4 is the terminal registration system according to claim 1 , wherein the registration function unit is located on an external device different from the registered terminal and the new terminal, and the registration function unit acquires the service site list information from the Authenticator of the registered terminal to perform FIDO authentication to log in to each service site using the registered terminal as an external Authenticator, based on the service site list information, and subsequently, newly performs Registration using the new terminal as an external Authenticator.
- the registration function unit is located on the external device side, making it possible to minimize functional configuration required on terminal sides.
- the invention according to claim 5 is the terminal registration system according to claim 1 , wherein the registration function unit notifies a user of a registration progress status for each service site.
- The user can confirm the registration progress status for the service sites (for example, the number of target sites, the number of completed registrations, and the number of failed registrations). Unauthorized sites can also be identified by specifying invalid sites.
- the invention according to claim 6 is the terminal registration system according to claim 1 , wherein the registration function unit performs retry control for performing a predetermined number of retries in a case where registration on each service site fails.
- The likelihood of a successful connection can be increased by retrying in a case where registration with a certain service site fails due to a communication failure or the like.
- By limiting the number of retries, access time can be kept short in a case where connectivity is low (or there is no connectivity).
- According to the present invention, a terminal registration system and a terminal registration method can be provided that improve user convenience in registration of a new terminal on a plurality of service sites.
- FIG. 1 is a diagram illustrating an overview of the present invention.
- FIG. 2 is a configuration diagram illustrating a terminal registration system according to a first embodiment of the present invention.
- FIG. 3 is a sequence diagram illustrating a terminal registration method of the terminal registration system according to the first embodiment.
- FIG. 4 is a configuration diagram illustrating a terminal registration system according to a second embodiment of the present invention.
- FIG. 5 is a sequence diagram illustrating a terminal registration method of the terminal registration system according to the second embodiment.
- FIG. 6 is a configuration diagram illustrating a terminal registration system according to a third embodiment of the present invention.
- FIG. 7 is a sequence diagram illustrating a terminal registration method of the terminal registration system according to the third embodiment.
- FIG. 8 is a sequence diagram illustrating a retry control and progress status notification.
- FIG. 9 is a diagram illustrating features of the standard technology (FIDO).
- FIG. 10 is a diagram illustrating registration of a new terminal in the standard technology (FIDO).
- FIG. 11 is a diagram illustrating technique 1 for Registration of a new terminal key using the CTAP.
- FIG. 12 is a diagram illustrating technique 2 for Registration of a new terminal key using the CTAP.
- FIG. 13 is a diagram illustrating a problem in achieving available states for multiple service sites.
- FIGS. 14 A and 14 B are diagrams illustrating a secure sharing technique for a private key, where FIG. 14 A is a diagram illustrating a sharing technique using a centralized sharing scheme, and FIG. 14 B is a diagram illustrating a sharing technique using a distributed sharing scheme.
- FIG. 15 is a diagram illustrating a technique for improving convenience of reregistration.
- Techniques for securely sharing a private key between terminals on the basis of identity confirmation information have been proposed (see NPL 3).
- In the centralized sharing scheme (FIG. 14A), terminals 1 and 2 store authentication keys in a key store 50.
- The terminals 1 and 2 access the key store 50 under access control based on the identity confirmation information, and share the same keys stored in the key store 50.
- In the distributed sharing scheme (FIG. 14B), keys are shared between a registered terminal 1 and a new terminal 2.
- The registered terminal 1 confirms owner match with the new terminal 2 on the basis of identity confirmation information, and copies the authentication keys of the registered terminal 1 to the new terminal 2 when the owner match is confirmed.
- FIDO authentication may then be used without newly performing Registration of the new terminal.
- However, the FIDO specification is premised on a private key being locked in a terminal, so in order to use either of the aforementioned sharing techniques, a terminal that conforms to the FIDO standard specification cannot be used as it is, and a uniquely extended terminal needs to be used.
- FIG. 15 is a diagram illustrating a technique for improving convenience of reregistration.
- a signature created with a private key of a registered terminal 1 is provided in advance to a new terminal 2 .
- a technique has been proposed in which Registration of the new terminal 2 can be performed in this way at any timing and without user work (see NPL 4).
- Registration is performed automatically (without user work) at the time of initial access to a service site 21, without the user having to actively access all service sites 21 and perform the Registration operation in advance when the new terminal 2 is first used.
- the present technique requires expansion to the FIDO protocol to perform Registration automatically and also requires additional functionality to manage signature information on the new terminal 2 .
- a terminal that conforms to the FIDO standard specification cannot be used as is, and a uniquely extended terminal needs to be used.
- the present invention improves user convenience for registration of a new terminal to a plurality of service sites using a registered terminal.
- FIG. 1 is a diagram illustrating an overview of the present invention.
- A terminal registration system includes service site list information 110 stored by an Authenticator 10 of a registered terminal 1, and a Registration Manager 100 (registration function unit) serving as a function unit to perform Registration of a new terminal 2 on a plurality of service sites.
- The service site list information 110 is a list that manages private keys and target site URLs (Uniform Resource Locators) in association with each other.
- The service site list information 110 is stored in the Authenticator 10 (authentication device) of the registered terminal 1.
- the Registration Manager 100 controls both of the registered terminal 1 and the new terminal 2 as described below.
- the Registration Manager 100 acquires, from the registered terminal 1 , the service site list information 110 stored by the Authenticator 10 of the registered terminal 1 (see reference sign a in FIG. 1 ).
- the Registration Manager 100 performs FIDO authentication for a registration target service site using a private key of the registered terminal 1 , and performs Registration of a newly generated cryptographic key at the new terminal 2 .
- The Registration Manager 100 performs the above-described Registration processing automatically for all sites whose URLs are stored in the service site list information 110.
- The Registration Manager 100 automatically performs registration of the new terminal 2 using the registered terminal 1 on all service sites (a service site A 21, a service site B 22, . . . ) on the basis of the acquired service site list information 110 (see reference sign b in FIG. 1).
- The Registration Manager 100 also displays a registration progress status for the user, and performs retry control or the like upon failure due to a communication failure or the like (as described later with reference to FIG. 8).
- The Registration Manager 100 performs FIDO authentication on the registration target service site A using a private key 1-A of the registered terminal 1 (see reference sign c in FIG. 1).
- The Registration Manager 100 performs Registration (registration processing) of the newly generated cryptographic key at the new terminal 2 (see reference sign d in FIG. 1).
- The above is an example of automatically performing registration of the new terminal 2 using the registered terminal 1 with respect to the service site A 21; similar processing is performed for a service site B 22 (see reference signs e and f in FIG. 1).
- The Registration Manager 100 performs FIDO authentication for each registration target service site using the private key of the registered terminal 1 for all service sites, and performs Registration of the newly generated cryptographic key at the new terminal 2.
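The Registration Manager's walk over the service site list (FIDO login with the registered terminal's key, then Registration of the new terminal's key in the resulting session), together with the progress status of claim 5 and the bounded retry control of claim 6, as an added Go example written for this page; it is not code from the patent or from any FIDO implementation. `ServiceSiteEntry`, `ServiceSite`, `Resolve` and `fakeSite` are assumptions: the real exchange runs over CTAP and the FIDO protocol, while here a site is a constructed stand-in that fails a chosen number of logins to stand for a communication failure and accepts exactly one key handle.

```go
package main

import "errors"

// One row of the service site list information 110 held in the registered
// terminal's Authenticator: site URL plus a handle naming its private key.
// (Field names are assumptions; the patent only says keys and URLs are associated.)
type ServiceSiteEntry struct {
	URL, KeyHandle string
}

// What the Registration Manager needs from a site: FIDO login with the
// registered terminal's key, then registration of the new key in that session.
type ServiceSite interface {
	Login(keyHandle string) (session string, err error)
	RegisterNewKey(session, newPublicKey string) error
}

// Progress is what the user is shown; FailedSites lets invalid sites be identified.
type Progress struct {
	Targets, Completed, Failed int
	FailedSites                []string
}

// Resolve (an assumption) opens the connection to a site URL.
type RegistrationManager struct {
	Sites      []ServiceSiteEntry
	MaxRetries int
	Resolve    func(url string) (ServiceSite, error)
}

func (m *RegistrationManager) registerOnce(e ServiceSiteEntry, newPub string) error {
	site, err := m.Resolve(e.URL)
	if err != nil {
		return err
	}
	session, err := site.Login(e.KeyHandle)
	if err != nil {
		return err
	}
	return site.RegisterNewKey(session, newPub)
}

// RegisterAll registers newPub on every listed site, giving each at most
// MaxRetries further attempts: a transient failure is absorbed, while a site
// that never answers cannot stall the run. notify, if non-nil, runs after each site.
func (m *RegistrationManager) RegisterAll(newPub string, notify func(Progress)) Progress {
	p := Progress{Targets: len(m.Sites)}
	for _, e := range m.Sites {
		var err error
		for attempt := 0; attempt <= m.MaxRetries; attempt++ {
			if err = m.registerOnce(e, newPub); err == nil {
				break
			}
		}
		if err == nil {
			p.Completed++
		} else {
			p.Failed++
			p.FailedSites = append(p.FailedSites, e.URL)
		}
		if notify != nil {
			notify(p)
		}
	}
	return p
}

// fakeSite is a constructed stand-in for a service site: its first failLogins
// logins fail (simulated communication failure); only validHandle authenticates.
type fakeSite struct {
	name, validHandle string
	failLogins        int
}

func (f *fakeSite) Login(keyHandle string) (string, error) {
	if f.failLogins > 0 {
		f.failLogins--
		return "", errors.New("communication failure")
	}
	if keyHandle != f.validHandle {
		return "", errors.New("FIDO authentication failed")
	}
	return "session-" + f.name, nil
}

func (f *fakeSite) RegisterNewKey(session, newPub string) error {
	if session != "session-"+f.name {
		return errors.New("no session")
	}
	return nil
}
```

Two properties of this loop matter for the claims above: a site that fails its first logins and then answers ends up registered as long as the failures fit inside `MaxRetries`, and a site whose key handle never authenticates (or whose URL cannot be resolved) is reported in `FailedSites` after the bounded number of attempts instead of blocking the remaining sites.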
- the Registration Manager 100 may be located either on the registered terminal 1 side, on the new terminal 2 side, or external to the registered terminal 1 and the new terminal 2 .
- An example of locating the Registration Manager 100 on the registered terminal 1 side is described in the first embodiment
- an example of locating the Registration Manager 100 on the new terminal 2 side is described in the second embodiment
- an example of locating the Registration Manager 100 external to terminals is described in the third embodiment.
- a first embodiment is an example of locating the Registration Manager 100 on the registered terminal 1 side.
- FIG. 2 is a configuration diagram illustrating a terminal registration system according to the first embodiment of the present invention.
- CTAP is illustrated by a cylindrical shape in FIG. 2.
- Session, also illustrated by a cylindrical shape, indicates that a Session has been established in the communication path.
- the terminal registration system includes, in addition to a registered terminal (a terminal 1 ) and a new terminal (a terminal 2 ), service sites 20 and a Domain Name System (DNS) server 30 (see FIG. 3 ) on the network.
- the registered terminal (the terminal 1 ), the new terminal (the terminal 2 ), the service site 20 , and the DNS server 30 are connected by a communication network (not illustrated) and are capable of communicating with each other.
- Each service site 20 includes a Web application server 211 and a FIDO server 212 .
- the Web application server 211 is a Web server having a software execution environment, a cooperative function, and the like.
- the Web application server 211 has a function to connect to and cooperate with the FIDO server 212 to perform complex processing.
- the Web application server 211 is a Web server operated by a service operator running an Electronic Commerce (EC) site, for example, and performs registration and authentication of a user using the service.
- EC: Electronic Commerce
- the FIDO server 212 is responsible for FIDO authentication, and only the portion that performs authentication in the Web application server 211 is separated and used as a library.
- Each of the terminals 1 and 2 is an authentication terminal, and is, for example, a mobile terminal such as a smartphone, a mobile phone, and a tablet, a notebook or desktop PC, or one of various electronic devices.
- a smartphone is taken as an example.
- Each of the terminals 1 and 2 logically includes a normal region, which is a region in which a normal application or the like operates, and a region inside an Authenticator 10 (secure region), which is a region managed not to be contaminated by malware or the like (a region that is managed so as not to be invaded fraudulently from the outside).
- the normal region is an environment in which a general application program is executed.
- the normal region is provided with a user agent 11 and a FIDO client 12 .
- the Authenticator 10 is present in a region that is managed so as not to be invaded fraudulently from the outside, and biometric information (such as fingerprint information) is stored.
- The Authenticator 10 is executed in a privileged mode of the Central Processing Unit (CPU) or Operating System (OS), and program calls or access to data of the Authenticator 10 are available only through specific programs or specific procedures.
- CPU: Central Processing Unit
- OS: Operating System
- the Authenticator 10 authenticates a key to perform challenge and response authentication.
- the Authenticator 10 also deals with a part of handling of keys, such as making a key available after performing biometric authentication. Specifically, the Authenticator 10 displays an authentication screen such as fingerprint authentication and authenticates a user.
- the Authenticator 10 also signs a random number or the like acquired from the service site 20 with a user private key and transmits the signed result to the service site 20 .
- the user agent 11 is a browser or the like for the user to access the Web application server 211 of the service site 20 .
- the user agent 11 issues a key registration request and an authentication request by utilizing a Web service to the Web application server 211 of the service site 20 .
- the FIDO client 12 is paired with the FIDO server 212 of the service site 20 , and transmits its user protocol to the FIDO server 212 (FIDO library) and exchanges authentication messages with the FIDO server 212 .
- The FIDO client 12 performs assembly of messages and of protocols, while the Authenticator 10 handles the key-related part of that message and protocol assembly.
- the FIDO server 212 having received a request for “start of user authentication” from the Web application server 211 of the service site 20 transmits information, such as a self-generated random number, to the FIDO client 12 via the user agents 11 of the terminals 1 and 2 .
- the FIDO client 12 having received the FIDO authentication request requests the Authenticator 10 for user registration.
- the Authenticator 10 displays an authentication screen such as fingerprint authentication and authenticates the user.
- the Authenticator 10 signs a random number or the like acquired from the Web application server 211 of the service site 20 with a private key and transmits the result to the FIDO server 212 of the service site 20 .
- the FIDO server 212 verifies the received signature (authenticates the user) and returns the authentication result to the Web application server 211 .
- the FIDO server 212 having received the request for “start of user registration” from the Web application server 211 of the service site 20 transmits information, such as a self-generated random number, to the FIDO client 12 via the user agents 11 of the terminals 1 and 2 .
- the FIDO client 12 having received the FIDO registration request requests the Authenticator 10 for user registration.
- the Authenticator 10 displays a registration screen for biometric information, such as a fingerprint, and allows the user to register biometric information. After completion of the registration, the Authenticator 10 generates a public key cryptography key pair and associates the key pair with the user.
- the Authenticator 10 also generates a signature, with a private key of the Authenticator 10 , over the public key, the random number acquired from the server, and the like, and transmits the signature via the FIDO client 12 to the FIDO server 212 of the service site 20 .
- the FIDO server 212 verifies the received signature (validity confirmation of the Authenticator), registers the public key of the user, and returns the result to the Web application server 211 .
- Terminal 1 (Registered Terminal)
- the registered terminal 1 stores, in the Authenticator 10 , a private key 1 -A paired with a public key 1 -A, a private key 1 -B paired with a public key 1 -B, a private key 1 -C paired with a public key 1 -C, and service site list information 110 .
- the service site list information 110 manages private keys and target site URLs in association with each other. For example, as illustrated in FIG. 2 , the service site list information 110 associates a private key “0A295BE44F . . . ” with a site URL “https://svcA.com”, a private key “129CC8B6A2 . . . ” with a site URL “https://svcB.org”, and a private key “FE0085B126 . . . ” with a site URL “https://svcC.net”. In addition to associating private keys with target site URLs, the service site list information 110 may also associate user names with them.
- a user with a plurality of user names can use the same URL or, conversely, can change the combination of private keys and target site URLs for each user name.
- private keys and target site URLs have not been managed in association with each other.
- the Registration Manager 100 is located on the registered terminal 1 side.
- the Registration Manager 100 performs Registration using the new terminal 2 as an external Authenticator by the CTAP, after logging in to the target service site, for all the private keys registered in the Authenticator 10 of the registered terminal 1 .
- a terminal registration method of the terminal registration system configured as described above will be described below.
- the Registration Manager 100 is located on the registered terminal 1 side.
- Procedure 1 The Registration Manager 100 acquires the service site list information 110 of the registered terminal 1 from the Authenticator 10 .
- the Registration Manager 100 performs the following procedure 2 to procedure 4 for all URLs in the acquired service site list information 110 .
- Procedure 2 The Registration Manager 100 accesses the service site 20 of the registration target URL, based on the acquired service site list information 110 .
- Procedure 3 The Registration Manager 100 utilizes a private key registered in the internal Authenticator 10 of the registered terminal 1 to perform FIDO authentication for and log in to the target service site 20 and establishes a session.
- Procedure 4 The new terminal 2 is used as an external Authenticator 10 by the CTAP to perform Registration of a private key.
- the Registration Manager 100 learns that the registered terminal 1 has a private key for each entry of the service site list information 110 by acquiring the service site list information 110 , but has no means of presenting the private key to the service site 20 . From the viewpoint of the service site 20 , when the Registration Manager 100 of the registered terminal 1 accesses the service site, the service site 20 cannot tell which user is accessing it. Thus, in procedure 3 described above, the Registration Manager 100 utilizes a private key registered in the internal Authenticator 10 of the registered terminal 1 to perform FIDO authentication for and log in to the target service site 20 , and establishes a session. Next, in procedure 4 described above, the new terminal 2 is used as an external Authenticator 10 by the CTAP to perform Registration of a private key, thereby registering the new terminal 2 .
- FIG. 3 is a sequence diagram illustrating the terminal registration method of the terminal registration system according to the present embodiment.
- the terminal 1 is a registered terminal, and stores service site list information 110 in the Authenticator 10 .
- the Registration Manager 100 is located in the terminal 1 .
- the terminal 2 is a new terminal.
- the Domain Name System (DNS) server 30 has, in addition to its most basic function of resolving domain names to IP addresses, an extension (the SeRVice record (SRV record)) that returns the URL of a service provided at a corresponding URL.
- the DNS server 30 provides, in the form of an SRV record, the location of a service for performing reregistration or the like that is provided at the site URL.
- the user adds or changes to the new terminal 2 (for example, using both a smartphone and a tablet terminal, or replacing the terminal).
- Registration of a terminal needs to be performed on the service site in advance, and a public key of the terminal needs to be associated with the account.
- FIDO Registration of a private key needs to be performed for each Web service.
- a user start operation is transmitted to the Registration Manager 100 of the registered terminal 1 (hereinafter referred to as the Registration Manager 100 ) (step S 101 ), and the Registration Manager 100 transmits a request for performing FIDO authentication at the new terminal 2 to a FIDO client 12 of the registered terminal 1 (step S 102 ).
- the FIDO client 12 of the registered terminal 1 establishes a CTAP channel with an Authenticator 10 of the new terminal 2 (step S 103 ).
- the FIDO client 12 of the registered terminal 1 notifies the Registration Manager 100 of this CTAP channel establishment in a case where the CTAP channel is established (step S 104 ).
- the Registration Manager 100 transmits an acquisition request for the service site list information 110 (see FIG. 2 ) to the Authenticator 10 of the registered terminal 1 (step S 105 ).
- the Authenticator 10 of the registered terminal 1 performs user confirmation to prevent unintended fraudulent acquisition of the list (step S 106 ).
- the user confirmation is user authentication using biometric information (fingerprint, face, iris, vein), Personal Identification Number (PIN) code authentication, or the like.
- the Authenticator 10 transmits the service site list information 110 stored in the Authenticator 10 to the Registration Manager 100 (step S 107 ).
- the above is “acquisition of the service site list information” of procedure 1 of FIG. 2 .
- the subsequent sequence corresponds to a process repeated for all the sites in the service site list information (corresponding to procedures 2 to 4 in FIG. 2 , see a frame with a dot-dash line in FIG. 3 ).
- the Registration Manager 100 transmits a DNS query to the DNS server 30 with reference to the acquired service site list information 110 (see FIG. 2 ), and inquires for a URL (hereinafter referred to as a registration endpoint) for access to a reregistration service provided on the site (step S 108 ).
- the DNS server 30 transmits the registration endpoint to the Registration Manager 100 , and the Registration Manager 100 acquires the registration endpoint (step S 109 ).
- the Registration Manager 100 transmits the acquired registration endpoint to a user agent 11 of the registered terminal 1 (step S 110 ).
- the user agent 11 of the registered terminal 1 accesses the registration endpoint on a Web application server 211 of a service site 20 (step S 111 ).
- the Web application server 211 of the service site 20 outputs a FIDO authentication request to a FIDO server 212 to start FIDO authentication (step S 112 ).
- a FIDO standard Authentication operation is performed via the Web application server 211 of the service site 20 , the user agent 11 and the FIDO client 12 of the registered terminal 1 , between the FIDO server 212 of the service site 20 and the Authenticator 10 of the registered terminal 1 .
- the FIDO standard Authentication operation is to perform FIDO authentication for a registration target service site using a private key stored in the internal Authenticator 10 of the registered terminal 1 .
- the FIDO server 212 of the service site 20 issues a FIDO Authentication Request to the Web application server 211 (step S 113 ), and the Web application server 211 transmits this FIDO Authentication Request to the user agent 11 of the registered terminal 1 (step S 114 ).
- the user agent 11 of the registered terminal 1 transmits the FIDO Authentication Request to the FIDO client 12 (step S 115 ), and the FIDO client 12 transmits this FIDO Authentication Request to the Authenticator 10 of the registered terminal 1 (step S 116 ).
- the Authenticator 10 of the registered terminal 1 performs user confirmation by biometric authentication with biometric information (fingerprint, face, iris, vein) (step S 117 ).
- the biometric authentication in step S 117 needs to be repeated for all service sites.
- the biometric authentication in step S 117 is therefore preferably as simple as possible; one example is biometric authentication with a fingerprint. Omitting re-authentication within a predetermined period of time is permitted as an extension of the standard technology (FIDO).
- FIDO separates identity confirmation by biometric authentication at the terminal from authentication to the server, and does not transmit a password to the service site 20 , so there is no risk of leaking personal information.
- a random number (challenge string) is generated by the FIDO server 212 (first stage in step S 113 ), and the random number is signed with a private key of the Authenticator 10 and returned.
- the Authenticator 10 of the registered terminal 1 signs the random number generated by the FIDO server 212 with the private key of the Authenticator 10 (step S 118 ).
- the Authenticator 10 transmits a FIDO Authentication Response signed with the private key to the FIDO client 12 (step S 119 ), the FIDO client 12 transmits this FIDO Authentication Response to the user agent 11 of the registered terminal 1 (step S 120 ), and the user agent 11 transmits the FIDO Authentication Response to the Web application server 211 of the service site 20 (step S 121 ).
- the Web application server 211 of the service site 20 transmits the FIDO Authentication Response to the FIDO server 212 of the service site 20 (step S 122 ).
- step S 113 to step S 122 correspond to the FIDO standard Authentication operation for logging in by utilizing the internal Authenticator 10 of the registered terminal 1 (which holds the registered key).
- the FIDO server 212 of the service site 20 transmits FIDO authentication OK to the Web application server 211 of the service site 20 (step S 123 ), to establish a TLS Session between the Web application server 211 of the service site 20 and the user agent 11 of the registered terminal 1 (step S 124 ). Once the TLS Session is established, the Web application server 211 notifies the FIDO server 212 of FIDO registration start (step S 125 ).
- a FIDO standard Registration operation is to perform Registration using the new terminal 2 as an external Authenticator 10 by the CTAP.
- the FIDO server 212 of the service site 20 issues a FIDO Registration Request to the Web application server 211 (step S 126 ), and the Web application server 211 transmits this FIDO Registration Request to the user agent 11 of the registered terminal 1 (step S 127 ).
- the user agent 11 of the registered terminal 1 transmits the FIDO Registration Request to the FIDO client 12 of the registered terminal 1 (step S 128 ), and the FIDO client 12 transmits this FIDO Registration Request to the Authenticator 10 of the new terminal 2 (step S 129 ).
- the Authenticator 10 of the new terminal 2 performs user confirmation by biometric authentication with biometric information (fingerprint, face, iris, vein) or the like (step S 130 ). Note that, to reduce the burden on the user, a simple form of biometric authentication such as fingerprint authentication is used, and re-authentication within a predetermined time may be omitted.
- the Authenticator 10 of the new terminal 2 newly generates a FIDO authentication (unregistered) private key using the CTAP (step S 131 ).
- the Authenticator 10 of the new terminal 2 transmits the generated private key to the FIDO client 12 of the registered terminal 1 (step S 132 ).
- the FIDO client 12 of the registered terminal 1 transmits the generated private key to the user agent 11 of the registered terminal 1 (step S 133 ).
- the user agent 11 of the registered terminal 1 transmits this FIDO Authentication (unregistered) private key as a FIDO Registration Response to the Web application server 211 of the service site 20 (step S 134 ).
- the Web application server 211 of the service site 20 transmits this FIDO Registration Response to the FIDO server 212 (step S 135 ).
- in step S 126 to step S 135 described above, the new terminal (the terminal 2 ) is used as an external Authenticator by the CTAP to perform Registration of the newly generated private key. These steps correspond to the FIDO standard Registration operation.
- the FIDO server 212 of the service site 20 transmits FIDO authentication OK to the Web application server 211 of the service site 20 in response to reception of the FIDO Registration Response (step S 136 ).
- the Web application server 211 transmits registration completion of the FIDO Registration Request to the user agent 11 of the registered terminal 1 (step S 137 ).
- the user agent 11 notifies the Registration Manager 100 of completion of the registration of the FIDO Registration Request (step S 138 ).
- the Registration Manager 100 confirms that, for all service sites, FIDO authentication for the registration target service site using the private key of the registered terminal 1 and Registration of the newly generated keys at the new terminal 2 have been completed. In a case where the Registration of keys of the new terminal 2 for all service sites is completed, the Registration Manager 100 issues a completion notification to the user to terminate the sequence (step S 139 ).
- because the Registration Manager 100 repeats the process for all sites in the service site list information, registration of a certain service site may not be completed due to a communication failure or the like. Displaying a registration progress status for the user improves convenience. The retry control and the display control of a registration progress status are described later with reference to FIG. 8 .
- the terminal registration system is a system for registering a new terminal 2 to a plurality of service sites 20 using a registered terminal 1 .
- the registered terminal 1 includes an Authenticator 10 including service site list information 110 that associates private keys with URLs for access to service sites.
- the Registration Manager 100 acquires the service site list information 110 from the Authenticator 10 of the registered terminal 1 .
- the Registration Manager 100 performs FIDO authentication for a registration target service site using a private key of the registered terminal 1 , on the basis of the acquired service site list information 110 , and performs Registration of a newly generated cryptographic key at the new terminal 2 .
- the Registration Manager 100 is located on the registered terminal 1 side.
- the Registration Manager 100 logs in to registration target service sites for all the private keys registered in the Authenticator 10 of the registered terminal 1 , and performs Registration using the new terminal 2 as an external Authenticator 10 by the CTAP.
- because the Registration Manager 100 acquires the service site list stored in the registered terminal 1 and starts Registration for all of the services, the user is relieved of the burden of keeping track of the service sites in use (for which Registration must be performed when starting to use the new terminal).
- the Registration Manager 100 is located on the registered terminal 1 side, so the registration result is displayed on the registered terminal 1 originally used.
- the registered terminal 1 is a terminal familiar to the user. The user can confirm the registration result on the familiar registered terminal 1 side.
- the second embodiment is an example of locating the Registration Manager 100 on the new terminal 2 side.
- FIG. 4 is a configuration diagram illustrating a terminal registration system according to the second embodiment of the present invention. Components identical to those in FIG. 2 are labeled with the same reference signs, and descriptions of overlapping parts will be omitted.
- CTAP and Session, each illustrated by a cylindrical shape in FIG. 4 , indicate that a CTAP channel or a Session, respectively, is established in the communication path.
- a terminal 1 is a registered terminal 1
- a terminal 2 is a new terminal 2 .
- the registered terminal 1 stores, in the Authenticator 10 , a private key 1 -A paired with a public key 1 -A, a private key 1 -B paired with a public key 1 -B, a private key 1 -C paired with a public key 1 -C, and service site list information 110 .
- a Registration Manager 100 is located on the new terminal 2 side.
- the Registration Manager 100 acquires the service site list information 110 of all sites from an Authenticator 10 of the registered terminal 1 , and uses the registered terminal 1 as an external Authenticator 10 by the CTAP to perform FIDO authentication and log in to each site.
- the new terminal 2 performs Registration processing for the Authenticator of the terminal in the established session.
- a terminal registration method of the terminal registration system configured as described above will be described below.
- the Registration Manager 100 is located on the new terminal 2 side.
- Procedure 1 The Registration Manager 100 acquires the service site list information 110 of the registered terminal 1 from the Authenticator 10 of the registered terminal 1 .
- the Registration Manager 100 performs the following procedure 2 to procedure 4 for all URLs in the acquired service site list information 110 .
- Procedure 2 The Registration Manager 100 accesses the service site 20 of the registration target URL, based on the acquired service site list information 110 .
- Procedure 3 The Registration Manager 100 uses the registered terminal 1 as an external Authenticator 10 by the CTAP to perform FIDO authentication and log in, and establishes a session.
- Procedure 4 The new terminal 2 performs Registration processing for the Authenticator of the terminal in the established session.
- FIG. 5 is a sequence diagram illustrating the terminal registration method of the terminal registration system according to the present embodiment.
- the terminal 1 is a registered terminal, and stores service site list information 110 in the Authenticator 10 .
- a terminal 2 is a new terminal, where a Registration Manager 100 is located.
- a user start operation is transmitted to the Registration Manager 100 of the new terminal 2 (hereinafter referred to as the Registration Manager 100 ) (step S 201 ), and the Registration Manager 100 transmits a request for performing FIDO authentication at the new terminal 2 to a FIDO client 12 of the new terminal 2 (step S 202 ).
- the FIDO client 12 of the new terminal 2 establishes a CTAP channel with the Authenticator 10 of the registered terminal 1 (step S 203 ).
- the FIDO client 12 of the new terminal 2 notifies the Registration Manager 100 of the establishment of the CTAP channel (step S 204 ).
- the Registration Manager 100 transmits an acquisition request for the service site list information 110 (see FIG. 4 ) to the Authenticator 10 of the registered terminal 1 (step S 205 ).
- the Authenticator 10 of the registered terminal 1 performs user confirmation to prevent unintended fraudulent acquisition of the list (step S 206 ).
- the user confirmation is user authentication using biometric information (fingerprint, iris, vein), PIN code authentication, or the like.
- once the Authenticator 10 of the registered terminal 1 has completed user confirmation by biometric authentication or the like, it transmits the service site list information 110 stored in the Authenticator 10 to the Registration Manager 100 (step S 207 ).
- the above is “acquisition of the service site list information” of procedure 1 of FIG. 4 .
- the subsequent sequence corresponds to a repeat for all the sites in the service site list information (corresponding to procedures 2 to 4 in FIG. 4 , see a frame with a dot-dash line in FIG. 5 ).
- the Registration Manager 100 transmits a DNS query to a DNS server 30 to inquire for a registration endpoint (step S 208 ) with reference to the acquired service site list information 110 (see FIG. 4 ).
- the DNS server 30 transmits the registration endpoint to the Registration Manager 100 , and the Registration Manager 100 acquires the registration endpoint (step S 209 ).
- the Registration Manager 100 transmits the acquired registration endpoint to a user agent 11 of the new terminal 2 (step S 210 ).
- the user agent 11 of the new terminal 2 accesses the registration endpoint on a Web application server 211 of the service site 20 (step S 211 ).
- the Web application server 211 of the service site 20 outputs a FIDO authentication request to a FIDO server 212 to start FIDO authentication (step S 212 ).
- a FIDO standard Authentication operation is performed via the Web application server 211 of the service site 20 , the user agent 11 and the FIDO client 12 of the new terminal 2 , between the FIDO server 212 of the service site 20 and the Authenticator 10 of the registered terminal 1 .
- the FIDO standard Authentication operation, illustrated in a frame with a dashed line in FIG. 5 , first acquires a URL list of all sites from the external Authenticator 10 of the registered terminal 1 . Next, for each site, the registered terminal 1 is used as the external Authenticator by the CTAP to perform FIDO authentication and log in.
- the FIDO server 212 of the service site 20 issues a FIDO Authentication Request to the Web application server 211 (step S 213 ), and the Web application server 211 transmits this FIDO Authentication Request to the user agent 11 of the new terminal 2 (step S 214 ).
- the user agent 11 of the new terminal 2 transmits the FIDO Authentication Request to the FIDO client 12 of the new terminal 2 (step S 215 ), and the FIDO client 12 transmits this FIDO Authentication Request to the Authenticator 10 of the registered terminal 1 (step S 216 ).
- the Authenticator 10 of the registered terminal 1 performs user confirmation by biometric authentication with biometric information (fingerprint, face, iris, vein) or the like (step S 217 ). Note that, to reduce the burden on the user, a simple form of biometric authentication such as fingerprint authentication is used, and re-authentication within a predetermined time may be omitted.
- the Authenticator 10 of the registered terminal 1 signs the random number generated by the FIDO server 212 with a private key of the Authenticator 10 (step S 218 ).
- the Authenticator 10 transmits a FIDO Authentication Response signed with the private key to the FIDO client 12 (step S 119 ), the FIDO client 12 transmits this FIDO Authentication Response to the user agent 11 of the new terminal 2 (step S 220 ), and the user agent 11 of the new terminal 2 transmits the FIDO Authentication Response to the Web application server 211 of the service site 20 (step S 221 ).
- the Web application server 211 of the service site 20 transmits the FIDO Authentication Response to the FIDO server 212 of the service site 20 (step S 222 ).
- in step S 213 to step S 222 described above, the registered terminal 1 is used as the external Authenticator by the CTAP to perform FIDO authentication and log in. These steps correspond to the FIDO standard Authentication operation.
- the FIDO server 212 of the service site 20 transmits FIDO authentication OK to the Web application server 211 of the service site 20 (step S 223 ), to establish a TLS Session between the Web application server 211 of the service site 20 and the user agent 11 of the new terminal 2 (step S 224 ). Once the TLS Session has been established, the Web application server 211 notifies the FIDO server 212 of FIDO registration start (step S 225 ).
- the FIDO standard Registration operation is for the new terminal 2 to perform Registration processing for the Authenticator of the terminal in the established session.
- the FIDO server 212 of the service site 20 issues a FIDO Registration Request to the Web application server 211 (step S 126 ), and the Web application server 211 transmits this FIDO Registration Request to the user agent 11 of the new terminal 2 (step S 227 ).
- the user agent 11 of the new terminal 2 transmits the FIDO Registration Request to the FIDO client 12 (step S 228 ), and the FIDO client 12 transmits this FIDO Registration Request to the Authenticator 10 of the new terminal 2 (step S 229 ).
- the Authenticator 10 of the new terminal 2 performs user confirmation by biometric authentication with biometric information (fingerprint, face, iris, vein) or the like (step S 230 ). Note that, to reduce the burden on the user, a simple form of biometric authentication such as fingerprint authentication is used, and re-authentication within a predetermined time may be omitted.
- the Authenticator 10 of the new terminal 2 newly generates a FIDO authentication (unregistered) private key using the CTAP (step S 231 ).
- the Authenticator 10 of the new terminal 2 transmits the generated private key to the FIDO client 12 of the new terminal 2 (step S 232 ).
- the FIDO client 12 of the new terminal 2 transmits the generated private key to the user agent 11 of the new terminal 2 (step S 233 ).
- the user agent 11 of the new terminal 2 transmits this FIDO Authentication (unregistered) private key as a FIDO Registration Response to the Web application server 211 of the service site 20 (step S 234 ).
- the Web application server 211 of the service site 20 transmits this FIDO Registration Response to the FIDO server 212 (step S 235 ).
- in step S 226 to step S 235 described above, the new terminal 2 performs Registration processing for the Authenticator of the terminal in the established session. These steps correspond to the FIDO standard Registration operation.
- the FIDO server 212 of the service site 20 transmits FIDO authentication OK to the Web application server 211 of the service site 20 in response to reception of the FIDO Registration Response (step S 236 ).
- the Web application server 211 transmits registration completion of the FIDO Registration Request to the user agent 11 of the new terminal 2 (step S 237 ).
- the user agent 11 notifies the Registration Manager 100 of the registration completion of the FIDO Registration Request (step S 238 ).
- the Registration Manager 100 confirms that Registration of the newly generated keys at the new terminal 2 is completed for all service sites. In a case where the Registration of keys of the new terminal 2 for all service sites is completed, the Registration Manager 100 issues a completion notification to the user to terminate the sequence (step S 239 ).
- because the Registration Manager 100 repeats the process for all sites in the service site list information, registration of a certain service site may not be completed due to a communication failure or the like.
- the retry control and the display control of a registration progress status are described later with reference to FIG. 8 .
- the Registration Manager 100 is located on the new terminal 2 side.
- the Registration Manager 100 acquires a URL list of all service sites from the Authenticator 10 of the registered terminal 1 , uses the registered terminal 1 as the external Authenticator 10 by the CTAP to perform FIDO authentication and log in to all service sites, and the new terminal 2 performs Registration for the Authenticator 10 of the terminal in the established session.
- the Registration Manager 100 automatically accesses the sites in the URL list acquired from the Authenticator 10 of the registered terminal 1 to perform Registration. This brings the same benefits as the first embodiment, i.e., improved user convenience in terms of Registration on a plurality of service sites.
- the Registration Manager 100 is located on the new terminal 2 side, so the registration result is displayed on the new terminal 2 .
- the registration result can be confirmed on the side of the new terminal 2 the user is beginning to use.
- the new terminal 2 is often more functional than a terminal that has been used until now, so Registration and registration result display can be performed using resources of the new terminal 2 with higher functionality (for example, high resolution, larger screen, high-speed drawing, high-speed communication, or the like).
- a third embodiment is an example in which the Registration Manager 100 is located on an external device 3 side different from the registered terminal 1 and the new terminal 2 .
- FIG. 6 is a configuration diagram illustrating a terminal registration system according to the third embodiment of the present invention. Components identical to those in FIG. 2 and FIG. 4 are labeled with the same reference signs, and descriptions of overlapping parts will be omitted.
- CTAP and Session, each illustrated by a cylindrical shape in FIG. 5 , indicate that a CTAP channel or a Session, respectively, is established in the communication path.
- a terminal 1 is a registered terminal, and a terminal 2 is a new terminal.
- the registered terminal 1 stores, in the Authenticator 10 , a private key 1 -A paired with a public key 1 -A, a private key 1 -B paired with a public key 1 -B, a private key 1 -C paired with a public key 1 -C, and service site list information 110 .
- the external device 3 is, for example, a personal computer (PC).
- the external device 3 may be a Universal Serial Bus (USB) token that is inserted into a USB port of the PC.
- a USB token is a key for using the PC; when the USB token is not present or not enabled, particular data cannot be opened or a network connection cannot be made.
- the USB token may also be provided with biometric authentication means such as fingerprint authentication.
- the external device 3 includes a user agent 11 and a FIDO client 12 in a normal region, and an Authenticator 10 in a secure region.
- the Authenticator 10 of the external device 3 corresponds to an external Authenticator when viewed from the terminals 1 and 2 performing the FIDO standard Authentication operation.
- the Registration Manager 100 is located on the external device 3 side different from the registered terminal 1 and the new terminal 2 .
- the Registration Manager 100 acquires a URL list of all service sites from the registered terminal 1 , and performs FIDO authentication using the registered terminal 1 as an external Authenticator to log in to each site. After that, the new terminal 2 is used as an external Authenticator to newly perform Registration.
- a terminal registration method of the terminal registration system configured as described above will be described below.
- the Registration Manager 100 is located on the external device 3 side.
- Procedure 1 The Registration Manager 100 acquires the service site list information 110 of the registered terminal 1 from the Authenticator 10 of the registered terminal 1 .
- the Registration Manager 100 performs processing of following procedure 2 to procedure 4 for all URLs of the acquired service site list information 110 .
- Procedure 2 The Registration Manager 100 accesses the service site 20 of the registration target URL, based on the acquired service site list information 110 .
- Procedure 3 The Registration Manager 100 uses the registered terminal 1 as an external Authenticator 10 by the CTAP to perform FIDO authentication and log in, and establishes a session.
- Procedure 4 After logging in, the new terminal 2 is used as an external Authenticator to newly perform Registration processing.
- FIG. 7 is a sequence diagram illustrating the terminal registration method of the terminal registration system according to the present embodiment.
- the user start operation is transmitted to the Registration Manager 100 of the external device 3 (hereinafter referred to as the Registration Manager 100 ) (step S 301 ), and the Registration Manager 100 transmits, to a FIDO client 12 of the external device 3 , a request to perform FIDO authentication at the new terminal 2 (step S 302 ).
- the FIDO client 12 of the external device 3 establishes a CTAP channel with the Authenticator 10 of the registered terminal 1 (step S 303 ).
- the FIDO client 12 of the external device 3 establishes a CTAP channel with an Authenticator 10 of the new terminal 2 (step S 304 ).
- the external device 3 thus establishes a CTAP channel with each of the Authenticator 10 of the registered terminal 1 and the Authenticator 10 of the new terminal 2 .
- the FIDO client 12 of the external device 3 notifies the Registration Manager 100 of this CTAP channel establishment (step S 305 ).
- the Registration Manager 100 transmits an acquisition request for the service site list information 110 (see FIG. 7 ) to the Authenticator 10 of the registered terminal 1 (step S 306 ).
- the Authenticator 10 of the registered terminal 1 performs user confirmation to prevent unintended fraudulent acquisition of the list (step S 307 ).
- the user confirmation is user authentication using biometric information (fingerprint, face, iris, vein), information using PIN, or the like.
- the Authenticator 10 transmits the service site list information 110 stored in the Authenticator 10 to the Registration Manager 100 (step S 308 ).
- the above is the acquisition of the service site list information of procedure 1 of FIG. 6 .
- the subsequent sequence corresponds to a process repeated for all the sites in the service site list information (corresponding to procedures 2 to 4 in FIG. 6 , see a frame with a dot-dash line in FIG. 7 ).
- the Registration Manager 100 transmits a DNS query to a DNS server 30 to inquire for a registration endpoint (step S 309 ) with reference to the acquired service site list information 110 (see FIG. 6 ).
- the DNS server 30 transmits the registration endpoint to the Registration Manager 100 , and the Registration Manager 100 acquires the registration endpoint (step S 310 ).
- the Registration Manager 100 transmits the acquired registration endpoint to a user agent 11 of the external device 3 (step S 311 ).
- the user agent 11 of the external device 3 accesses the registration endpoint on a Web application server 211 of the service site 20 (step S 312 ).
- the Web application server 211 of the service site 20 outputs a FIDO authentication request to a FIDO server 212 of the service site 20 to start FIDO authentication (step S 313 ).
- a FIDO standard Authentication operation is performed via the Web application server 211 of the service site 20 , the user agent 11 and the FIDO client 12 of the external device 3 , between the FIDO server 212 of the service site 20 and the Authenticator 10 of the registered terminal 1 .
- this FIDO standard Authentication operation is the login step of the overall flow: the Registration Manager 100 acquires the service site list information 110 of all service sites from the registered terminal 1 and performs FIDO authentication using the registered terminal 1 as an external Authenticator to log in to each site. After that, the new terminal 2 is used as an external Authenticator to newly perform Registration.
- the FIDO server 212 of the service site 20 issues a FIDO Authentication Request to the Web application server 211 (step S 314 ), and the Web application server 211 transmits this FIDO Authentication Request to the user agent 11 of the external device 3 (step S 315 ).
- the user agent 11 of the external device 3 transmits the FIDO Authentication Request to the FIDO client 12 of the external device 3 (step S 316 ), and the FIDO client 12 transmits this FIDO Authentication Request to the Authenticator 10 of the registered terminal 1 (step S 317 ).
- the Authenticator 10 of the registered terminal 1 performs user confirmation by biometric authentication with biometric information (fingerprint, iris, vein) or the like (step S 318 ). Note that in order to reduce the user burden, fingerprint authentication, for example, is performed as the biometric authentication, and a further authentication within a predetermined time may be omitted.
- the Authenticator 10 of the registered terminal 1 signs the random number generated by the FIDO server 212 with a private key of the Authenticator 10 (step S 319 ).
- the Authenticator 10 transmits a FIDO Authentication Response signed with the private key to the FIDO client 12 (step S 320 ), the FIDO client 12 transmits this FIDO Authentication Response to the user agent 11 of the external device 3 (step S 321 ), and the user agent 11 of the external device 3 transmits the FIDO Authentication Response to the Web application server 211 of the service site 20 (step S 322 ).
- the Web application server 211 of the service site 20 transmits the FIDO Authentication Response to the FIDO server 212 of the service site 20 (step S 323 ).
- in step S 314 to step S 323 described above, the registered terminal 1 is used as an external Authenticator to perform FIDO authentication and log in. These steps correspond to the FIDO standard Authentication operation.
- the FIDO server 212 of the service site 20 transmits FIDO authentication OK to the Web application server 211 of the service site 20 (step S 324 ), to establish a TLS Session between the Web application server 211 of the service site 20 and the user agent 11 of the external device 3 (step S 325 ). Once the TLS Session is established, the Web application server 211 notifies the FIDO server 212 of FIDO registration start (step S 326 ).
- the FIDO standard Registration operation that follows uses the new terminal 2 as an external Authenticator to newly perform Registration processing, after the login performed with the registered terminal 1 as an external Authenticator.
- the FIDO server 212 of the service site 20 issues a FIDO Registration Request to the Web application server 211 (step S 327 ), and the Web application server 211 transmits this FIDO Registration Request to the user agent 11 of the external device 3 (step S 328 ).
- the user agent 11 of the external device 3 transmits the FIDO Registration Request to the FIDO client 12 (step S 329 ), and the FIDO client 12 transmits this FIDO Registration Request to the Authenticator 10 of the new terminal 2 (step S 330 ).
- the Authenticator 10 of the new terminal 2 performs user confirmation by biometric authentication with biometric information (fingerprint, iris, vein) or the like (step S 331 ). Note that in order to reduce the user burden, fingerprint authentication, for example, is performed as the biometric authentication, and a further authentication within a predetermined time may be omitted.
- the Authenticator 10 of the new terminal 2 newly generates a FIDO authentication (unregistered) private key using the CTAP (step S 332 ).
- the Authenticator 10 of the new terminal 2 transmits the generated private key to the FIDO client 12 of the external device 3 (step S 333 ).
- the FIDO client 12 of the external device 3 transmits the generated private key to the user agent 11 of the external device 3 (step S 334 ).
- the user agent 11 of the external device 3 transmits this FIDO Authentication (unregistered) private key as a FIDO Registration Response to the Web application server 211 of the service site 20 (step S 335 ).
- the Web application server 211 of the service site 20 transmits this FIDO Registration Response to the FIDO server 212 of the service site (step S 336 ).
- in step S 327 to step S 336 , the new terminal 2 is used as an external Authenticator to newly perform Registration processing. These steps correspond to the FIDO standard Registration operation.
- the FIDO server 212 of the service site 20 transmits FIDO authentication OK to the Web application server 211 of the service site 20 in response to reception of the FIDO Registration Response (step S 337 ).
- the Web application server 211 transmits registration completion of the FIDO Registration Request to the user agent 11 of the external device 3 (step S 338 ).
- the user agent 11 notifies the Registration Manager 100 of the registration completion of the FIDO Registration Request (step S 339 ).
- the Registration Manager 100 confirms that Registration of the newly generated keys at the new terminal 2 is completed for all service sites. In a case where the Registration of keys of the new terminal 2 for all service sites is completed, the Registration Manager 100 issues a completion notification to the user to terminate the sequence (step S 340 ).
- since the Registration Manager 100 repeats the process for all sites in the service site list information, there may be a case where registration at a certain service site is not completed due to a communication failure or the like.
- the retry control and the display control of the registration progress status are described later with reference to FIG. 8 .
- the Registration Manager 100 is located on the side of the external device 3 different from the registered terminal 1 and the new terminal 2 .
- the Registration Manager 100 acquires a URL list of all service sites from the registered terminal 1 , and performs FIDO authentication using the registered terminal 1 as an external Authenticator 10 to log in to each service site. After that, the new terminal 2 is used as an external Authenticator 10 to newly perform Registration.
- the present embodiment can bring the same benefits as the first embodiment and the second embodiment, i.e., improve user convenience in terms of Registration on a plurality of service sites.
- There is no burden on the user of managing the service sites being utilized (for which Registration is required when the new terminal is first used).
- work burden on the user is reduced when the number of service sites increases.
- the Registration Manager 100 is located on the external device 3 side, which makes it possible to minimize the functional configuration required on the terminal sides, so that the resources of the terminals can be conserved. In a case where there is a constraint on the functionality of the terminals, it is also possible to select an external device 3 having higher functionality.
- FIG. 8 is a sequence diagram illustrating a retry control and progress status notification.
- the Registration Manager 100 may be located either on the registered terminal 1 side, on the new terminal 2 side, or external to the terminals 1 and 2 .
- the Registration target service sites 20 are assumed to be a service site A 21 , a service site B 22 , and a service site C 23 .
- a user start operation is transmitted to a Registration Manager 100 (step S 401 ), and the Registration Manager 100 acquires service site list information 110 from the registered terminal 1 (step S 402 ). Then, the Registration Manager 100 notifies the user of registration start (step S 403 ). Note that a specific sequence leading to the acquisition of the service site list information 110 from the user start operation is described in detail with reference to FIGS. 3 , 5 , and 7 .
- the user of the terminal is notified of “registration start” and that the number of registration target sites is “3” as the progress status.
- This notification is displayed, for example, on a display screen of the terminal in the notification field of the application (App).
- “REGISTRATION START” and “TARGET: 3, COMPLETED: 0, FAILED: 0” are displayed.
- the Registration Manager 100 performs Registration using the registered terminal 1 or the new terminal 2 as an external Authenticator by the CTAP for each service site.
- the Registration Manager 100 outputs a FIDO authentication start request to start FIDO authentication for registration with the service site A 21 (step S 404 ) and performs the FIDO standard Authentication operation with the registered terminal 1 (step S 405 ).
- the Registration Manager 100 receives a FIDO authentication result from the service site A 21 (step S 406 ).
- the Registration Manager 100 outputs a FIDO authentication registration request to the service site A 21 to start FIDO authentication registration (step S 407 ) and performs the FIDO standard Registration operations with the new terminal 2 (step S 408 ).
- the Registration Manager 100 receives a FIDO authentication registration result from the service site A 21 (step S 409 ).
- the Registration Manager 100 notifies the user of the update of the registration progress status (step S 410 ).
- the Registration Manager 100 outputs a FIDO authentication start request to start FIDO authentication for registration with the service site B 22 (step S 411 ).
- the FIDO authentication start request issued by the Registration Manager 100 has not reached the service site B 22 (see reference sign i and X mark in FIG. 8 ). It is assumed that the FIDO authentication start request has not reached the service site B 22 due to a communication failure or the like. As indicated by reference sign j in FIG. 8 , in a case where there is no response from the service site B 22 , the Registration Manager 100 performs a first retry after a certain period of time. The Registration Manager 100 again transmits a FIDO authentication start request to the service site B 22 (step S 412 ).
- the retry is successful in transmitting the FIDO Authentication start request to the service site B 22 , and the FIDO standard authentication operation is performed with the registered terminal 1 (step S 413 ).
- the Registration Manager 100 receives a FIDO authentication result from the service site B 22 (step S 414 ).
- the Registration Manager 100 outputs a FIDO authentication registration request to the service site B 22 to start FIDO authentication registration (step S 415 ) and performs the FIDO standard Registration operations with the new terminal 2 (step S 416 ).
- the Registration Manager 100 receives a FIDO authentication registration result from the service site B 22 (step S 417 ).
- the Registration Manager 100 notifies the user of the update of the registration progress status (step S 418 ).
- the Registration Manager 100 outputs a FIDO authentication start request to start FIDO authentication for registration with the service site C 23 (step S 419 ).
- the FIDO authentication start request issued by the Registration Manager 100 has not reached the service site C 23 (see reference sign l and X mark in FIG. 8 ). At this stage, it is assumed that the FIDO authentication start request has not reached the service site C 23 due to a communication failure or the like.
- the Registration Manager 100 performs a first retry after a certain period of time.
- the Registration Manager 100 transmits a FIDO authentication start request to the service site C 23 in the first retry (step S 420 ).
- the FIDO authentication start request for the service site C 23 by the first retry has not reached the service site C 23 (see reference sign n and X mark in FIG. 8 ).
- the Registration Manager 100 performs a second retry after a certain period of time.
- the Registration Manager 100 transmits a FIDO authentication start request to the service site C 23 in the second retry (step S 421 ).
- the FIDO authentication start request for the service site C 23 has not reached the service site C 23 even on the second retry (see reference sign p and X mark in FIG. 8 ). In this case, it is assumed that there is a severe communication failure or that the service site C 23 is not connected to the network.
- the Registration Manager 100 determines registration failure for the service site C 23 after a certain number of retries (two times here), and terminates the registration processing for the service site C 23 .
- the Registration Manager 100 notifies the user of the termination of registration at the service site C 23 (registration failure) (step S 422 ).
- “REGISTRATION COMPLETION” and “TARGET: 3, COMPLETED: 2, FAILED: 1” are displayed on the terminal as the progress status for the user.
- because the Registration Manager 100 notifies the user of the registration progress status for each service site, the user can confirm the registration progress status across the service sites (the number of target sites, the number of completed registrations, the number of failed registrations). Unauthorized sites can also be identified by specifying invalid sites.
- the Registration Manager 100 may perform retry control with a predetermined number of retries, thereby increasing the possibility of connection by retry when registration at a certain service site fails due to a communication failure or the like. By bounding the number of retries, it is possible to limit the access time in a case where the connectivity is poor (or there is no connectivity).
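As an added example that is not code from the patent, the per-site loop of procedures 1 to 4 above together with the FIG. 8 retry and progress control, modelled in Go with P-256 ECDSA keys. It assumes the standard FIDO behaviour in which the private key never leaves the Authenticator and only the public key travels in the Registration Response; the site URLs, the `Unreachable` drop counts and the retry limit of two are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authenticator is a terminal's secure region: private keys indexed by service-site URL (the list 110).
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// SiteList is procedure 1; nothing is disclosed without the user confirmation of step S307.
func (a *Authenticator) SiteList(userConfirmed bool) (urls []string) {
	if !userConfirmed {
		return nil
	}
	for u := range a.keys {
		urls = append(urls, u)
	}
	return urls
}

// Sign answers a FIDO Authentication Request (S317 to S320), or returns nil for an unknown site; the 32-byte challenge stands in for the hash FIDO signs.
func (a *Authenticator) Sign(url string, challenge []byte) []byte {
	k, ok := a.keys[url]
	if !ok {
		return nil
	}
	sig, _ := ecdsa.SignASN1(rand.Reader, k, challenge) // errors only if crypto/rand fails
	return sig
}

// Register creates a fresh key pair (S332) and hands out only the public key; the private key stays here.
func (a *Authenticator) Register(url string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors only if crypto/rand fails
	a.keys[url] = k
	return &k.PublicKey
}

// Site is a service site's FIDO server holding the public keys registered to the user's account.
type Site struct {
	PublicKeys  []*ecdsa.PublicKey
	Unreachable int // constructed fault: authentication start requests dropped before the site answers
}

var errNoResponse = errors.New("no response from service site") // the transport failure retried in FIG. 8

// Authenticate issues a random challenge (S314) and logs the user in only if a registered key verifies the signature (S323, S324).
func (s *Site) Authenticate(url string, auth *Authenticator) error {
	if s.Unreachable > 0 {
		s.Unreachable--
		return errNoResponse
	}
	challenge := make([]byte, 32)
	rand.Read(challenge)
	sig := auth.Sign(url, challenge)
	for _, pk := range s.PublicKeys {
		if ecdsa.VerifyASN1(pk, challenge, sig) {
			return nil
		}
	}
	return errors.New("signature verified by no registered key")
}

// Progress is what the user sees, e.g. "TARGET: 3, COMPLETED: 2, FAILED: 1".
type Progress struct{ Target, Completed, Failed int }

// RegistrationManager runs procedures 2 to 4 for every site, re-sending the authentication start request at most maxRetries times per site (FIG. 8).
func RegistrationManager(oldAuth, newAuth *Authenticator, sites map[string]*Site, maxRetries int) Progress {
	urls := oldAuth.SiteList(true)
	p := Progress{Target: len(urls)}
	for _, u := range urls {
		site, err := sites[u], errNoResponse
		for attempt := 0; site != nil && err == errNoResponse && attempt <= maxRetries; attempt++ {
			err = site.Authenticate(u, oldAuth) // nil once the login with the registered terminal succeeds
		}
		if err != nil { // unreachable after all retries, unknown site, or bad signature
			p.Failed++
			continue
		}
		site.PublicKeys = append(site.PublicKeys, newAuth.Register(u)) // S336: the server stores the new key
		p.Completed++
	}
	return p
}

// Demo is the constructed scenario of FIG. 8: site A answers at once, site B answers the first retry, site C never answers.
func Demo() Progress {
	oldAuth, newAuth := &Authenticator{map[string]*ecdsa.PrivateKey{}}, &Authenticator{map[string]*ecdsa.PrivateKey{}}
	sites := map[string]*Site{}
	for url, drops := range map[string]int{"https://a.example": 0, "https://b.example": 1, "https://c.example": 3} {
		sites[url] = &Site{PublicKeys: []*ecdsa.PublicKey{oldAuth.Register(url)}, Unreachable: drops} // earlier Registration
	}
	return RegistrationManager(oldAuth, newAuth, sites, 2)
}

func main() {
	fmt.Printf("REGISTRATION COMPLETION: %+v\n", Demo()) // {Target:3 Completed:2 Failed:1}
}
```

A site that stays unreachable after the bounded retries is counted as failed and the loop moves on, so one dead site cannot block the migration of the others.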
- Each of the above-described configurations, functions, processing units, processing means, and the like may be implemented in hardware by designing some or all of these components, for example, in an integrated circuit.
- Each of the above-described configurations, functions, and the like may be implemented in software for the processor to interpret and execute a program that implements the respective functions.
- Information such as programs, tables, files, and the like that implement each function can be held in a recording device such as a memory, a hard disk, and a Solid State Drive (SSD), or a recording medium such as an Integrated Circuit (IC) card, a Secure Digital (SD) card, an optical disk, or the like.
Description
Providing a plurality of authentication schemes is a large operation burden for a service operator and may also cause security holes. Thus, it is conceivable that only FIDO is used for the authentication after the Registration of the terminal is performed at the timing of account creation or the like. Consider a use case of associating another different terminal with the account in such an environment.
In both sharing techniques of the above-described centralized sharing scheme and the above-described distributed sharing scheme, FIDO authentication may be used without newly performing Registration of a new terminal. However, the FIDO specification is based on the assumption that a private key is locked in a terminal, and in order to use any of the aforementioned sharing techniques, a terminal that conforms to the FIDO standard specification cannot be used as it is, and a uniquely extended terminal needs to be used.
Note that in known user authentication techniques, private keys and target site URLs have not been managed in association with each other.
Claims (4)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/824,488 US11917076B2 (en) | 2018-02-06 | 2022-05-25 | Terminal registration system and terminal registration method |
Applications Claiming Priority (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2018018867A JP6600369B2 (en) | 2018-02-06 | 2018-02-06 | Terminal registration system and terminal registration method |
JP2018-018867 | 2018-02-06 | ||
PCT/JP2019/004088 WO2019156081A1 (en) | 2018-02-06 | 2019-02-05 | Terminal registration system and terminal registration method |
US202016964806A | 2020-07-24 | 2020-07-24 | |
US17/824,488 US11917076B2 (en) | 2018-02-06 | 2022-05-25 | Terminal registration system and terminal registration method |
Related Parent Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/964,806 Division US11483159B2 (en) | 2018-02-06 | 2019-02-05 | Terminal registration system and terminal registration method |
PCT/JP2019/004088 Division WO2019156081A1 (en) | 2018-02-06 | 2019-02-05 | Terminal registration system and terminal registration method |
Publications (2)
Publication Number | Publication Date |
---|---|
US20220286296A1 US20220286296A1 (en) | 2022-09-08 |
US11917076B2 true US11917076B2 (en) | 2024-02-27 |
Family
ID=67548096
Family Applications (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/964,806 Active 2039-05-14 US11483159B2 (en) | 2018-02-06 | 2019-02-05 | Terminal registration system and terminal registration method |
US17/824,488 Active 2039-03-12 US11917076B2 (en) | 2018-02-06 | 2022-05-25 | Terminal registration system and terminal registration method |
US17/824,670 Pending US20220286297A1 (en) | 2018-02-06 | 2022-05-25 | Terminal registration system and terminal registration method |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/964,806 Active 2039-05-14 US11483159B2 (en) | 2018-02-06 | 2019-02-05 | Terminal registration system and terminal registration method |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/824,670 Pending US20220286297A1 (en) | 2018-02-06 | 2022-05-25 | Terminal registration system and terminal registration method |
Country Status (3)
Country | Link |
---|---|
US (3) | US11483159B2 (en) |
JP (1) | JP6600369B2 (en) |
WO (1) | WO2019156081A1 (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP6600369B2 (en) * | 2018-02-06 | 2019-10-30 | 日本電信電話株式会社 | Terminal registration system and terminal registration method |
FR3095528B1 (en) * | 2019-04-25 | 2021-05-21 | CopSonic | REMOTE VALIDATION AUTHENTICATION MATERIAL TOKEN |
JP2021069402A (en) * | 2019-10-29 | 2021-05-06 | 株式会社三洋物産 | Game machine |
US11777917B2 (en) | 2020-10-15 | 2023-10-03 | Cisco Technology, Inc. | Multi-party cloud authenticator |
US20230141952A1 (en) * | 2020-11-09 | 2023-05-11 | Medical Data Networks, LLC | System and method for third-party password-less access to a secure database |
EP4080390A1 (en) * | 2021-04-19 | 2022-10-26 | Thales DIS France SA | A method for granting a user access through a user access device hosting a client application to a service coming from a set of services of a server application hosted by a distant server |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140289833A1 (en) | 2013-03-22 | 2014-09-25 | Marc Briceno | Advanced authentication techniques and applications |
US20150257004A1 (en) | 2014-03-07 | 2015-09-10 | Cellco Partnership D/B/A Verizon Wireless | Symbiotic biometric security |
US9294274B2 (en) | 2013-09-19 | 2016-03-22 | Intel Corporation | Technologies for synchronizing and restoring reference templates |
JP2017152877A (en) | 2016-02-24 | 2017-08-31 | 日本電信電話株式会社 | Electronic key re-registration system, electronic key re-registration method, and program |
US11483159B2 (en) * | 2018-02-06 | 2022-10-25 | Nippon Telegraph And Telephone Corporation | Terminal registration system and terminal registration method |
- 2018-02-06 JP JP2018018867A patent/JP6600369B2/en active Active
- 2019-02-05 US US16/964,806 patent/US11483159B2/en active Active
- 2019-02-05 WO PCT/JP2019/004088 patent/WO2019156081A1/en active Application Filing
- 2022-05-25 US US17/824,488 patent/US11917076B2/en active Active
- 2022-05-25 US US17/824,670 patent/US20220286297A1/en active Pending
Non-Patent Citations (5)
Title |
---|
Fidoalliance.org, [online], "FIDO 2.0: Client to Authenticator Protocol," Oct. 19, 2016, retrieved on Dec. 20, 2017, retrieved from URL<https://fidoalliance.org/specs/fido-v2.0-rd-20161004/fido-client-to-authenticator-protocol-v2.0-rd-20161004.html>, 24 pages. |
Fidoalliance.org, [online], "Simpler, Stronger Authentication—FIDO is the World's Largest Ecosystem for Standards-Based, Interoperable Authentication," 2017, retrieved on Dec. 20, 2017, retrieved from URL<https://fidoalliance.org/>, 3 pages. |
Nishimura et al., "A Study on Re-Registration of Authentication Key with Terminal Change in Mobile Terminal-Based Public Key Authentication System," Institute of Electronics, Information and Communication Engineers (IEICE), 2018, 117(460):69-74, 13 pages (with English Translation). |
Nishimura et al., "A Study on Secure Sharing of Private Key for User Authentication Among Terminals Belonging to the Same Owner," Institute of Electronics, Information and Communication Engineers (IEICE), 2017, 116(485):449-454, 13 pages (with English Translation). |
Takakuwa et al., "The Transfer Access Protocol—Moving to New Authenticators in the FIDO Ecosystem," Paul G. Allen School of Computer Science & Engineering, Jun. 2017, 16 pages. |
Also Published As
Publication number | Publication date |
---|---|
US20210058256A1 (en) | 2021-02-25 |
US20220286296A1 (en) | 2022-09-08 |
JP6600369B2 (en) | 2019-10-30 |
JP2019140423A (en) | 2019-08-22 |
US11483159B2 (en) | 2022-10-25 |
WO2019156081A1 (en) | 2019-08-15 |
US20220286297A1 (en) | 2022-09-08 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| FEPP | Fee payment procedure | Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
| AS | Assignment | Owner name: NIPPON TELEGRAPH AND TELEPHONE CORPORATION, JAPAN. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:NISHIMURA, HIDEO;YAMASHITA, TAKAO;YOSHIMURA, YASUHIKO;AND OTHERS;SIGNING DATES FROM 20200421 TO 20200713;REEL/FRAME:063261/0816 |
| STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
| STPP | Information on status: patent application and granting procedure in general | Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
| STPP | Information on status: patent application and granting procedure in general | Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
| STPP | Information on status: patent application and granting procedure in general | Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT RECEIVED |
| STCF | Information on status: patent grant | Free format text: PATENTED CASE |
